-----BEGIN PGP SIGNED MESSAGE-----
===============================================================================
Security Advisory CERT-NL
===============================================================================
Author/Source : Teun Nijssen Index : S-99-33
Distribution : World Page : 1
Classification: External Version: 1
Subject : CERT Summary Date : 03-Sep-99
===============================================================================
By courtesy of CERT/CC we received a CERT Summary. CERT-NL does not always
replicate this material, as interested parties are expected to read them
after being attended to its arrival by the "notifier'. This summary (mainly
the "recent activities" part is deemed) of sufficient interest to distribute
it widely.
CERT Summary CS-99-03
August 31, 1999
Each quarter, the CERT. Coordination Center (CERT/CC) issues the CERT
summary to draw attention to the types of attacks reported to our
incident response team, as well as other noteworthy incident and
vulnerability information. The summary includes pointers to sources of
information for dealing with the problems.
Past CERT summaries are available from
http://www.cert.org/summaries/
______________________________________________________________________
New CERT/CC PGP Key
On October 4, 1999, the current PGP key for the CERT/CC will be
replaced with a new PGP key. For more information, see
http://www.cert.org/pgp/newpgp.html
______________________________________________________________________
New "CERT/CC Current Activity" Web Page
The CERT/CC Current Activity web page is a regularly updated summary
of the most frequent, high-impact types of security incidents and
vulnerabilities currently being reported to the CERT/CC. It is
available from
http://www.cert.org/current/current_activity.html
The information on the Current Activity page will be reviewed and
updated as reporting trends change.
______________________________________________________________________
Recent Activity
Since the last CERT summary, issued in May 1999 (CS-99-02), we have
noted several vulnerabilities in RPC services, and we have analyzed
and published information regarding the ExploreZip worm. We also
continue to see widespread scans for known vulnerabilites.
Protect your systems. Use current software versions, install patches
as they become available, and update your scanning tools and
anti-virus software with the latest virus signatures or definitions.
Be cautious of unsolicited documents or executable programs received
in electronic mail. Be wary of software that comes from untrusted
sources.
1. RPC Vulnerabilities
We have received many reports of exploitations involving three RPC
vulnerabilties. Such exploitations can lead to root compromise on
systems that implement these RPC services. Analysis has shown that
similar artifacts have been found on compromised systems. The
vulnerable services are
rpc.cmsd
Remote and local users can execute arbitrary code with the
privileges of the rpc.cmsd daemon, typically root. This
vulnerability is being exploited in a significant number of
incidents reported to the CERT/CC. For more information see
CERT Incident Note 99-04
http://www.cert.org/incident_notes/IN-99-04.html
CERT Advisory CA-99-08
http://www.cert.org/advisories/CA-99-08-cmsd.html
statd and automoutd
Vulnerabilities in these two services are being used together by
intruders to gain access to vulnerable systems. The first
vulnerability is in rpc.statd, a program used to communicate state
changes among NFS clients and servers. The second vulnerability is
in automountd, a program used to automatically mount certain types
of file systems. The vulnerability in rpc.statd may allow a remote
intruder to call arbitrary RPC services with the privileges of the
rpc.statd process, typically root. The vulnerablility in
automountd may allow a local intruder to execute arbitrary
commands with the privileges of the automountd service.
By combining attacks exploiting these two vulnerabilities, a
remote intruder is able to execute arbitrary commands with the
privileges of the automountd service. For more information see
CERT Incident Note 99-04
http://www.cert.org/incident_notes/IN-99-04.html
CERT Advisory CA-99-05
http://www.cert.org/advisories/CA-99-05-statd-automountd.html
ttbserverd
The ToolTalk database server (rpc.ttdbserverd) is an ONC RPC
service that manages objects needed for the operation of the
ToolTalk service. ToolTalk-enabled processes communicate with each
other using RPC calls to this program, which runs on each
ToolTalk-enabled host. This program is a standard component of CDE
(Common Desktop Environment), which is a standard component of
many commercial Unix operating systems.
Due to an implementation fault in rpc.ttdbserverd, it is possible
for a malicious remote client to formulate an RPC message that can
lead to a buffer overflow. This buffer overflow can result in an
attacker gaining total control of the ttdbserver process. An
intruder may be able to use this control to gain root-level
privileges.
CERT Incident Note 99-04
http://www.cert.org/incident_notes/IN-99-04.html
CERT Advisory CA-98-11
http://www.cert.org/advisories/CA-98.11.tooltalk.html
2. Virus and Trojan Horse Activity
We continue to see reports of virus activity. Current versions of
anti-virus software can help to protect your systems from these
viruses.
It is important to take great caution with any email or Usenet
attachments that contain executable content. If you receive a
message containing attachments, scan the message file with
anti-virus software before you open or run the file. Doing this
does not guarantee that the contents of the file are safe, but it
lowers your risk of virus infection by checking for viruses and
Trojan horses that your scanning software can detect.
ExploreZip.exe
The ExploreZip program is a Trojan horse affecting Windows
95/98/NT systems. It modifies system files and destroys files. For
ExploreZip to work, a person must open or run an infected email
attachment, which allows the program to install a copy of itself
on the victim's computer and enables further propagation.
ExploreZip may also behave as a worm, propagating to other network
machines without human interaction. For more information see
CERT Advisory CA-99-06 ExploreZip Trojan Horse Program
http://www.cert.org/advisories/CA-99-06-explorezip.html
CERT Advisory CA-99-02 Trojan Horses
http://www.cert.org/advisories/CA-99-02-Trojan-Horses.html
3. Continued Widespread Scans
We are still receiving daily reports of intruders using tools to
scan networks for multiple vulnerabilities. Intruder scanning
tools continue to become more sophisticated, varying from scripted
tools and stealth scanning techniques to a tool that incorporates
probes for known vulnerabilities, remote operating system
identification, and automated exploitation attempts. For more
information, see
"sscan" Scanning Tool
http://www.cert.org/incident_notes/IN-99-01.html
Automated Scanning and Exploitation
http://www.cert.org/incident_notes/IN-98-06.html
Probes with Spoofed IP Addresses
http://www.cert.org/incident_notes/IN-98-05.html
Advanced Scanning
http://www.cert.org/incident_notes/IN-98.04.html
New Tools Used for Widespread Scans
http://www.cert.org/incident_notes/IN-98.02.html
The most frequent reports involve well-known vulnerabilities in
mountd, IMAP, POP3, and several RPC services. These services are
installed and enabled by default in some operating systems. See
the following advisories for more information:
sunrpc (TCP port 111) and mountd (635)
http://www.cert.org/advisories/CA-98.12.mountd.html
http://www.cert.org/incident_notes/IN-99-04.html
IMAP (TCP port 143)
http://www.cert.org/advisories/CA-98.09.imapd.html
POP3 (TCP port 110)
http://www.cert.org/advisories/CA-98.08.qpopper_vul.html
DNS (TCP port 53 [domain])
http://www.cert.org/advisories/CA-98.05.bind_problems.html
http://www.cert.org/advisories/CA-97.22.bind.html
These scans involve known vulnerabilities for which patches are
available. Protect your systems by making sure that they are
properly secured.
==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).
All CERT-NL material is available under:
http://www.surfnet.nl/surfnet/security/cert-nl.html
ftp://ftp.surfnet.nl/surfnet/net-security
In case of computer or network security problems please contact your
local CERT/security-team or CERT-NL (if your institute is NOT a SURFnet
customer please address the appropriate (local) CERT/security-team).
CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).
Email: cert-nl@surfnet.nl ATTENDED REGULARLY ALL DAYS
Phone: +31 302 305 305 BUSINESS HOURS ONLY
Fax: +31 302 305 329 BUSINESS HOURS ONLY
Snailmail: SURFnet bv
Attn. CERT-NL
P.O. Box 19035
NL - 3501 DA UTRECHT
The Netherlands
NOODGEVALLEN: 06 52 87 92 82 ALTIJD BEREIKBAAR
EMERGENCIES : +31 6 52 87 92 82 ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
==============================================================================
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.0.2i
iQCVAwUBN8/YofE6s6q7Tf4RAQEsTgQAkcQyEznYLOot15Y+XbLm65LLtOMKuJ6H
QZ/kvK2erK8N4sy3hpAFXIWhG2kyrxD7nfAFXKBNlXXvHvYr2aY6zztaNbp/tA2c
oVqeDjtDiIAVvE82ekmXvue2nrSIPjsk/PAtOw0H9lzsuCRR0h5i25kP3bBwdgLX
roDMCuuSLt4=
=DKVJ
-----END PGP SIGNATURE-----